vidhar: nftables...

1 files changed, 9 insertions, 3 deletions

diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index 5a6d2c4e..f4e2aa94 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -24,8 +24,8 @@ table inet filter {
     iifname eno1 oifname dsl counter accept
     iifname dsl oifname eno1 ct state {established, related} counter accept
 
-    oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local accept
-    oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl accept
+    oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
+    oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
 
 
     limit name lim_reject log prefix "drop forward: " counter drop
@@ -72,7 +72,13 @@ table inet filter {
 
   chain output {
     type filter hook output priority filter
-    policy accept
+    policy drop
+
+
+    oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
+    oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
+
+    meta l4proto != { ipv6-icmp, icmp, igmp } counter drop
 
     counter
   }